WASHINGTON—As the collection of information about individuals and its use in marketing and research continue to grow in size and complexity, it is clear that there is no quick and easy way to prevent privacy and security breaches. At a January 30 symposium at Georgetown Law School entitled “Big Data and Big Challenges,” legal experts discussed steps industry and government might take to protect data privacy and security.
Big data has blurred the line between public and private information, said Paul Ohm, a privacy expert and senior policy advisor to the Federal Trade Commission. “We have more sensitive data, collected more of the time, by more people, and almost all of it is unregulated,” said Ohm, who stressed that his comments were his own and not official FTC positions. He predicted that the volume of data being collected and sophistication of collection methods will eventually make it common for individuals to suffer hardships due to the release of sensitive data.
An increasing concern in the privacy debate is that seemingly benign data about individuals can be used to predict future behavior, some of which may be considered sensitive. A high-profile example of such data use emerged in 2012 in a New York Times report about how retailer Target’s use of analytics to identify which customers were pregnant resulted in a teenager being sent coupons for baby items. “Lots of facts about you revealed in public, when aggregated, start to reveal private habits,” Ohm said.
It’s also likely that what most individuals consider to be their most sensitive information, such as health-related information used for medical research, is also the most secure, Ohm said. “I worry so much less about medical and health research because we’ve had centuries, if not millennia, to think about things like codes of conduct, common ethics, institutional review boards—all things we do when we engage in human subject review,” he said. “Companies do very little if any of this.”
Getting Business Analysts to Think More Like Researchers
By contrast, the information that people provide in less controlled or uncontrolled venues carries far greater potential to cause harm, Ohm said. One possible solution is for businesses to think more like researchers, he suggested. “I would love to see a move to force companies to think much more about the ethics of what they’re doing, come up with external watchdogs, and look at the number of people within their walls who are allowed to see data and decide whether it raises too much of an unjustifiable risk.”
Government regulation also could play a role. Ohm noted that there have been cases of people losing their jobs because they accessed certain company data, but those cases tend to reach the public only when data breaches occur at hospitals or other institutions that have established internal procedures to deal with breaches. Businesses, he said, might pay closer attention to the issue of internal access if they were required to disclose firings that resulted from data breaches.
Federal legislative action on privacy and data security remains a possibility, but even with security breaches drawing media attention, legislation has yet to make it out of Congress. That could be due to a number of factors, including leadership changes, multiple committees having oversight, and private sector measures to secure commercial data, said Francine Friedman, senior policy counsel with the law firm Akin Gump Strauss Hauer & Feld in Washington.
Federal lawmakers have shown interest in regulating the collection, use, sharing and storage of online data as recently as the 112th Congress, where more than 20 pieces of legislation dealing with data privacy and security, mobile device privacy, cyber security, data storage and breach notification, said The proposals addressed issues such as the sale of data regarding Internet users’ online behavior, data breach safeguards and the legality of employers asking employees and potential employees to provide access to their social media accounts. But Congress did not pass any of these proposals.
“I used to say we’re one breach away from getting a breach notification law,” Friedman said. “There was a series of high-profile breaches. Fortunately, most of the data breaches have been maybe username and email address. Because there are safeguards that companies put into place, which is the right thing for them to do…most of those breaches have not resulted in a lot of harm.”
The Potential for a Data Breach Notification Standard
Industry has shown some interest in a federal standard for breach notification, Friedman said, as most states have data breach notification requirements and many businesses operate in multiple states that may have different requirements. “They want one standard, they don’t want 50 standards,” she said. “That’s the one area where I think there may be some action.”
The prominent role of big data analytics in political campaigns is another possible reason Congress has been slow to move on actions regulating the sharing and use of data, Friedman said. The influence of big data in driving President Obama’s re-election campaign strategy was not lost on either party. “In fact, the [Democratic National Committee] is asking the Obama campaign to please share this treasure trove of information,” Friedman said. “Jumping on the bandwagon, the [Republican National Committee] at their recent meeting said, ‘We need to be better about our collection and use and sharing of data.’ Under Howard Dean, the DNC required all of the states to share their data up.”
The Obama Administration also has said it is exploring ways to address issues of online privacy and security that don’t require Congressional approval, Friedman said. The administration’s “Privacy Bill of Rights” is one example, but the effect of such actions may be limited to raising awareness among consumers, she said.
Christopher Doscher is a writer, editor and executive speechwriter in Laurel, Md.